sbp commented on issue #789: URL: https://github.com/apache/tooling-trusted-releases/issues/789#issuecomment-4039885546
Yeah. The CSRF hook is applied to all routes with the exception of the deliberate exemptions, and it runs before it even gets to our code. The audit tool was only concerned whether the "middleware relies on reading a CSRF token from the request body", so you can see why it was confused: we call the form `Empty` but that actually means `CSRFFieldOnly` in practice. The CSRF field is always applied by `form.py`, including to `Empty`. If it were not applied, the CSRF hook would reject such submissions anyway.
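The arrangement described in the comment above, as an added sketch that is not the project's code: a pre-handler CSRF hook with explicit exemptions, and a form base class that attaches the CSRF field even to an `Empty` form. The names `csrf_hook`, `dispatch`, `Form`, `Rename`, the field name `csrf_token` and the paths are all assumptions made for illustration.

```python
import hmac
import secrets

CSRF_FIELD = "csrf_token"            # assumed field name
EXEMPT = {"/api/webhook"}            # hypothetical deliberate exemption
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

class Form:
    """Base form: the CSRF field is attached to every subclass, declared fields or not."""
    fields: tuple = ()

    @classmethod
    def field_names(cls):
        return (CSRF_FIELD, *cls.fields)

class Empty(Form):
    """Declares no user fields, so in practice it is a CSRF-field-only form."""

class Rename(Form):
    fields = ("name",)

def csrf_hook(method, path, session, body):
    """Runs before any handler. Returns None to continue or an HTTP status to reject."""
    if method in SAFE_METHODS or path in EXEMPT:
        return None
    expected = session.get(CSRF_FIELD, "")
    supplied = body.get(CSRF_FIELD, "")
    # Constant-time comparison; a session without a token never passes.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    return None

def dispatch(method, path, session, body, handlers):
    rejected = csrf_hook(method, path, session, body)
    if rejected is not None:
        return rejected, "csrf rejected"      # handler code is never reached
    return 200, handlers[path](body)

def demo():
    session = {CSRF_FIELD: secrets.token_urlsafe(32)}   # constructed sample session
    calls = []
    handlers = {"/delete": lambda b: calls.append("delete") or "deleted",
                "/api/webhook": lambda b: "hook ok"}
    good = dict.fromkeys(Empty.field_names(), session[CSRF_FIELD])
    return {
        "empty_fields": Empty.field_names(),
        "with_token": dispatch("POST", "/delete", session, good, handlers),
        "without_token": dispatch("POST", "/delete", session, {}, handlers),
        "exempt": dispatch("POST", "/api/webhook", session, {}, handlers),
        "handler_calls": calls,
    }
```
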
